
Entropy for UNIX/Linux & Impact to SSO (SM) / IM / JVM / LDAP / DB (JDBC) Performance

Question asked by Alan Baugher Employee on Sep 27, 2013
Latest reply on Oct 24, 2018 by Patrick-Dussault

Hello All,

 

*** 2018/10/25  HotFix for the Identity Suite vApp for RNGD.

High CPU utilization noticed by rngd process. - CA Knowledge 

*** 2017/03/13 Edit: -  Updated deck based on recent questions from customers.

-  Entropy pumps should be added to any server that uses security libraries, e.g. Directory Server, Database Servers, J2EE servers, and SSO/Siteminder Servers. Use a quick test to see if your servers need to have the OS entropy pump added.

 

watch -n 1 cat /proc/sys/kernel/random/entropy_avail

 

If the return value is less than 1000, then please think about adding an Entropy Pump to all of your server(s).
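The quick test above, as an added example that is not part of the original post: a small POSIX shell script that samples entropy_avail against the post's 1000 threshold and also reports whether a haveged or rngd process is present. The kernel file path and the process names are assumptions about a typical Linux host.

```shell
#!/bin/sh
# Added example (not from the original post): the post's quick test wrapped in
# functions so it can be sampled repeatedly and also report whether an entropy
# pump (haveged or rngd) is present. Threshold 1000 is the post's own figure.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
THRESHOLD=1000

# entropy_status FILE: prints "ok N" or "low N"; returns 1 when N is below
# THRESHOLD, 2 when FILE is missing or not numeric (non-Linux or locked-down host).
entropy_status() {
    avail=$(cat "$1" 2>/dev/null) || { echo "unreadable"; return 2; }
    case "$avail" in
        ''|*[!0-9]*) echo "unreadable"; return 2 ;;
    esac
    if [ "$avail" -lt "$THRESHOLD" ]; then
        echo "low $avail"
        return 1
    fi
    echo "ok $avail"
}

# pump_running: returns 0 if a haveged or rngd process exists, 1 otherwise.
pump_running() {
    pgrep -x haveged >/dev/null 2>&1 || pgrep -x rngd >/dev/null 2>&1
}

# sample_entropy FILE COUNT INTERVAL: one timestamped line per sample; returns
# the number of samples that were below THRESHOLD (0 means healthy).
sample_entropy() {
    below=0
    i=0
    while [ "$i" -lt "$2" ]; do
        rc=0
        line=$(entropy_status "$1") || rc=$?
        if [ "$rc" -eq 1 ]; then below=$((below + 1)); fi
        echo "$(date '+%H:%M:%S') $line"
        i=$((i + 1))
        if [ "$i" -lt "$2" ]; then sleep "$3"; fi
    done
    return "$below"
}

# Run the check directly when the host exposes the counter: 3 samples, 1 s apart.
if [ -r "$ENTROPY_FILE" ]; then
    low=0
    sample_entropy "$ENTROPY_FILE" 3 1 || low=$?
    if [ "$low" -gt 0 ]; then echo "entropy low in $low of 3 samples: add an entropy pump (haveged or rngd)"; fi
    if pump_running; then echo "entropy pump process found"; else echo "no haveged/rngd process found"; fi
fi
```

Note that on Linux 5.6 and later /dev/random no longer blocks once the pool is initialised, and from 5.18 entropy_avail reports a constant 256, so on current kernels a "low" reading reflects the counter's changed meaning rather than a depleted pool; the test is meaningful for the older kernels this thread was written against.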

 

### Prior Note ###

Recently I was engaged to determine the root issue of a performance-related question for a VMware Linux server and SiteMinder.

After reviewing the bookshelves, the JVM vendor's site, and many Google searches, I was able to determine that there is a common thread to performance issues with VMware Linux and any software solution that uses cryptographic routines.

I have put together a deck on how to address performance for SiteMinder, IM JCS (IAMCS), Web App Servers (WebLogic/WebSphere/JBoss), and other solutions that may use TLS/SSL or generate certs, that are related to a depletion of the entropy pool (/dev/random) on a virtualized/headless Linux/Unix server.


Enjoy / YMMV.


*** 2013/09/29 Edit. After additional research via NIST site, I have re-ordered the alternative recommendations with regards to FIPS.
Enclosing updated deck


*** 2013/10/10 Edit. Added a very useful EGD daemon process to the deck: HAVEGED. This entropy "pump" will use volatile states of the CPU / clock from virtualized servers to give them a "boost" to speed up startup times for SiteMinder/J2EE (JBoss/WebLogic/WebSphere).


*** 2013/11/01 Edit. Added a business high-level summary with current challenges about /dev/random.


*** 2016/09/29 - Refresh to bring this back to awareness. Please don't use a soft link from /dev/urandom to /dev/random. Why? OS software update/upgrade may/will wipe away these settings. Please use an entropy pump daemon. Recommend either HAVEGED (clock-cycle version) or the OS RNGD daemons. Test your performance before and after, to amaze yourself.